gpgmailsign v0.7a
-----------------
(c) 2003, 2004 Christoph Berg
This program is free software covered by the GPL.
This is the script I use to sign PGP/GnuPG keys. The script works for me but as
the GnuPG user interface is extremely braindamaged, it is very hard to make
sure it really does the right thing. I've tried to catch every possible error,
but you will certainly find bugs.
0. Prerequisites
You need the following programs:
* gpg
* q-agent and agpg from quintuple-agent
* expect (to interact with gpg/agpg)
Debian users can simply run
'apt-get install gnupg quintuple-agent expect'
1. How it works
The idea is as follows: As I like to verify mail addresses, I sign each uid
separately and mail the key with that signature to the mail address in the uid.
The mail is encrypted. The receiver is responsible for importing the signature
into his keyring and uploading it to a keyserver. I don't do that myself, so the
mail address is implicitly verified. A nice side-effect is that the receiver can
choose which uids he wants to have signed: he just does not import the other
signatures -- some people don't want to blow up their keyring with lots of
signatures on uids they don't use (any more/often).
2. Running gpgmailsign
Set $PGPKEY to your own keyid (alternatively you can use gpgmailsign -u).
You can give multiple, comma-separated keyids.
$ export PGPKEY=0x12345678
Start q-agent:
$ eval `q-agent &`
Start agpg, enter your passphrase, and close agpg with ^D:
$ agpg
^D
Call gpgmailsign with the keyid you want to sign:
$ gpgmailsign [-rsv] [-u local_user{,...}] 87654321 ...
Alternatively you can write the keyids to a file, one per line, and call
gpgmailsign -F keys.txt. After each signing, the keyid will be commented out in
the file to keep track of which keys have been signed.
gpgmailsign now calls gpg --list-key to get all uids of the key.
After creating a work directory (./work/) gpgmailsign prints the fingerprint of
the key and asks the user whether he wants to continue.
In the following, '' is the long (8 byte, 16 chars) keyid. (NB: the
short (4 byte, 8 chars) is the second half of the long id.)
The following steps are taken for each uid:
* If the uid does not contain a mail address, it is skipped.
* Your own key and the key to be signed are exported to
work/-.gpg.
* The key is stripped down to this uid and all unknown signatures are removed
using 'purgesigs' and the expect script 'purgesigs.expect'.
* If the uid is already signed, it is skipped.
* The uid is signed in work/-.gpg with all local keys using the
expect script 'sign.expect'.
* The template file 'key_instructions.txt' is translated to
work/-.txt, containing the signed key and some instructions.
* This file is encrypted and copied into work/.mail, using the template
file 'mail_template.txt'.
work/.mail is a shell script that uses the 'mail' command to send the
(encrypted) signature to the recipient. You can use 'sh' to execute it:
$ sh work/1234567887654321.mail
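The per-uid steps above stand or fall with getting the uid list out of gpg correctly (see the thanks for the gpg output parsing bugs). As an added illustration that is not part of gpgmailsign, the following parses gpg's machine-readable 'gpg --with-colons --list-keys' output instead of the human-readable --list-key output, keeps only uids that carry a mail address and are neither revoked nor expired, and derives the short keyid from the long one as described above. The key listing is constructed sample data, not a real key.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of 'gpg --with-colons --list-keys' output (not a real key).
# Field 5 of 'pub' is the long keyid, field 10 of 'fpr' the fingerprint,
# field 2 of 'uid' the validity ('r' revoked, 'e' expired), field 10 the uid.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:1234567887654321:1388534400:::-:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF011234567887654321:
uid:-::::1388534400::AAAA::Example User <user@example.org>::::::::::0:
uid:r::::1388534400::BBBB::Old Address <old@example.net>::::::::::0:
uid:-::::1388534400::CCCC::Example User (no mail)::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1388534400::::::e::::::23:
fpr:::::::::0011223344556677889900AAFEDCBA9876543210:
"""

MAIL_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")

@dataclass
class Uid:
    text: str
    validity: str
    mail: Optional[str]

@dataclass
class Key:
    long_id: str
    fingerprint: str = ""
    uids: List[Uid] = field(default_factory=list)

    @property
    def short_id(self) -> str:
        # the 8-char short keyid is the second half of the 16-char long keyid
        return self.long_id[-8:]

def parse_colons(output: str) -> List[Key]:
    keys: List[Key] = []
    for line in output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append(Key(long_id=f[4]))
        elif f[0] == "fpr" and keys and not keys[-1].fingerprint:
            keys[-1].fingerprint = f[9]      # first fpr after pub = primary key
        elif f[0] == "uid" and keys:
            m = MAIL_RE.search(f[9])
            keys[-1].uids.append(Uid(f[9], f[1], m.group(1) if m else None))
    return keys

def signable_uids(key: Key) -> List[Uid]:
    # skip uids without a mail address and revoked/expired uids
    return [u for u in key.uids if u.mail and u.validity not in ("r", "e")]
```

Note that --with-colons escapes some characters in the uid field (e.g. ':' as \x3a); a production parser would unescape them before extracting the address.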
Options:
-f force output even without email address
-F file to read keys from, one keyid per line (will be modified)
-g name of gpg-agent wrapper (default: agpg)
-q do not ask for confirmation on startup
-r call gpg --recv-key before proceeding
-s send out mail immediately (default: write shell script)
-v be verbose
-u key to sign with (comma-separated for multiple keys, default: use $PGPKEY)
3. Known Bugs, Wishlist
* purgesigs randomly fails if gpg screws up the order of uids.
Fix: re-run gpgmailsign until it works
* agpg (q-agent) does not work with multiple keys if they have different
passphrases.
Fix: make the passphrases equal.
* Send out proper MIME messages.
* use gpg --status-fd etc.
4. Availability
The gpgmailsign homepage is http://www.df7cb.de/projects/gpgmailsign/.
Instructions for CVS access can be found at
http://www.df7cb.de/projects/anoncvs/, the module name is gpgmailsign.
5. Thanks
Thanks go to Andreas Steinel who helped to find several bugs in the gpg output
parsing. Tollef Fog Heen added code to skip revoked uids.
Christoph Berg
$Id: README,v 1.12 2004/07/08 18:01:27 cb Exp $